HIPAA Compliance


The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The legislation was designed to make it easier for workers to retain health insurance coverage when they change or lose their jobs. The legislation also sought to drive the adoption of electronic health records to improve the efficiency and quality of the American healthcare system through improved information sharing.

Along with increasing the use of electronic medical records, the law included provisions to protect the security and privacy of Protected Health Information (PHI). PHI includes a very wide set of personally identifiable health and health-related data, from insurance and billing information to diagnosis data, clinical care data, and lab results such as images and test results. The rules apply to “Covered Entities”, which include hospitals, medical service providers, employer-sponsored health plans, research facilities and insurance companies that deal directly with patients and patient data. The law and regulations also extend the requirement to protect PHI to “Business Associates”.

HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the “Administrative Simplification” rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For additional information on how HIPAA and HITECH protect health information, visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that seeks to improve the efficiency of the healthcare industry while ensuring the security and confidentiality of patient health information. HIPAA generally applies to “covered entities” (including any healthcare provider) and “business associates” (any third party engaged by a covered entity to help carry out its healthcare activities and functions). Thus, under HIPAA, you are a covered entity and Hoot Myopia Care (Hoot Health, Inc.) is your business associate.


HIPAA privacy regulations require that you and your business associates develop and follow procedures that ensure the confidentiality and security of your patients’ protected health information (PHI) whenever it is transferred, received, handled, or shared. This requirement applies to all forms of PHI, whether on paper, in oral communications, or in electronic format. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
As your business associate, Hoot Myopia Care (Hoot Health, Inc.) follows detailed policies governing the protection of your patients’ PHI, including employing administrative, physical, and technical safeguards as required by HIPAA rules and regulations. You can be confident that we will protect your patient data to help you stay compliant.


Providers may be concerned that cloud-based platforms are more vulnerable to Internet-based attacks, but—with the proper security measures in place—cloud-based solutions carry no more threat of data breach than on-site data storage. In fact, quality cloud-based software can be more secure because it is more closely monitored; small businesses like healthcare practices typically can’t afford to staff team members responsible for managing the security of their server. The encrypted data stored within the Hoot Myopia Care (Hoot Health, Inc.) platform is constantly monitored by experts who are committed to keeping your data safe. With the peace of mind that comes with choosing Hoot Myopia Care (Hoot Health, Inc.), some of the complexity involved in staying compliant with HIPAA regulations is alleviated.


Our technology is hosted on WP Engine.

There is no HIPAA certification for a cloud provider such as WP Engine. In order to meet the HIPAA requirements applicable to its operating model, WP Engine aligns its HIPAA risk management program with FedRAMP and NIST 800-53, a higher security standard that maps to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66, “An Introductory Resource Guide for Implementing the HIPAA Security Rule,” which documents how NIST 800-53 aligns to the HIPAA Security Rule.


The Hoot Myopia Care (Hoot Health, Inc.) Platform is designed to give you the most functionality possible when it comes to sharing content, managing communication between you and parents, and managing workflow for your myopia management program, while also helping you stay compliant. It is also your responsibility to promptly respond to and immediately honor all patient or parent requests to opt out of or unsubscribe from your program.


Please note that, while we are dedicated to giving you tools that will help you stay compliant with HIPAA and other regulations, the information we provide is not legal advice. You are responsible for ensuring the compliance of your myopia management program. We encourage you to seek out competent legal counsel for specific direction and guidance.